---
layout: commands
page_title: 'Commands: ACL Token Update'
---

# Consul ACL Token Update

Command: `consul acl token update`

The `acl token update` command will update a token. Some parts of the token like whether the
token is local to the datacenter cannot be changed.

## Usage

Usage: `consul acl token update [options]`

#### API Options

@include 'http_api_options_client.mdx'

@include 'http_api_options_server.mdx'

#### Command Options

- `-description=<string>` - A description of the token

- `-id=<string>` - The Accessor ID of the token to read. It may be specified as a
  unique ID prefix but will error if the prefix matches multiple token Accessor IDs

- `merge-node-identities` - Merge the new node identities with the existing node
  identities.

- `-merge-policies` - Merge the new policies with the existing policies.

- `-merge-roles` - Merge the new roles with the existing roles.

- `-merge-service-identities` - Merge the new service identities with the existing service identities.

- `-meta` - Indicates that token metadata such as the content hash and Raft indices should be
  shown for each entry.

- `-node-identity=<value>` - Name of a node identity to use for this role. May
  be specified multiple times. Format is `NODENAME:DATACENTER`. Added in Consul
  1.8.1.

- `-policy-id=<value>` - ID of a policy to use for this token. May be specified multiple times.

- `-policy-name=<value>` - Name of a policy to use for this token. May be specified multiple times.

- `-role-id=<value>` - ID of a role to use for this token. May be specified multiple times.

- `-role-name=<value>` - Name of a role to use for this token. May be specified multiple times.

- `-service-identity=<value>` - Name of a service identity to use for this
  token. May be specified multiple times. Format is the `SERVICENAME` or
  `SERVICENAME:DATACENTER1,DATACENTER2,...`
- `-upgrade-legacy` - Add new polices to a legacy token replacing all existing
  rules. This will cause the legacy token to behave exactly like a new token
  but keep the same secret.

~> When upgrading a legacy token you must ensure that the new policy or policies
specified grant equivalent or appropriate access for the existing clients using
this token. You can find examples on how to use the parameter in the [legacy
token
migration](https://learn.hashicorp.com/consul/day-2-agent-authentication/migrate-acl-tokens)
guide.

- `-format={pretty|json}` - Command output format. The default value is `pretty`.

#### Enterprise Options

@include 'http_api_namespace_options.mdx'

## Examples

Update the anonymous token:

```shell-session
$ consul acl token update -id anonymous -policy-id 06acc
Token updated successfully.
AccessorID:   00000000-0000-0000-0000-000000000002
SecretID:     anonymous
Description:  Anonymous Token
Local:        false
Create Time:  0001-01-01 00:00:00 +0000 UTC
Policies:
   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
```

Update a token description and take the policies from the existing token:

```shell-session
$ consul acl token update -id 986193 -description "WonderToken" -merge-policies
Token updated successfully.
AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
Description:  WonderToken
Local:        false
Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
```
